APD/GBA - 42/2020
|Relevant Law:|Article 2(1) GDPR; Article 4(7) GDPR; Article 6(1)(f) GDPR|
|National Case Number/Name:|42/2020|
|European Case Law Identifier:|n/a|
|Original Language(s):|Dutch|
|Original Source:|GBA (in NL); APD (in FR)|
The Belgian DPA looked into the complaint of a person whose Facebook profile picture was shared by the defendant by email without his consent. The organization that shared the picture was seeking to comply with a prior judgement of the Sports Court prohibiting the complainant from attending training sessions, championships or other competitions organized by one defendant. The Belgian DPA decided that this kind of processing was allowed under the legal basis of the legitimate interest of the controller.
English Summary
Facts
On 25 February 2019 the complainant submitted a complaint against Organization 2. The essence of the complaint was that a screenshot of his Facebook profile picture had been shared by Organization 2 without his consent. The complainant asserted that his profile picture was not publicly available. On 8 July 2019 the DPA declared the complaint admissible. On 23 July 2019 the Disputes Chamber decided that the file was ready to be considered on the merits. On 4 September 2019 the Disputes Chamber received the response of both organizations involved in this processing (the defendants). On 8 October 2019 the Disputes Chamber received the complainant's reply, which limited the subject of the complaint to the sharing of the picture via email. On 30 October 2019 the Disputes Chamber accepted a further comment from the defendants, stating that the complainant had violated article 124 of the electronic communications law by deliberately accessing an email that was not addressed to him. On 27 May 2020 the parties were heard by the Disputes Chamber.
Dispute
The defendants were able to demonstrate that the complainant's Facebook profile picture was publicly available and in no way protected. The organizations were also of the opinion that no personal data processing took place in this case, because the complainant failed to demonstrate that his picture was structured according to specific criteria. In case the DPA found that personal data processing did take place, the defendants invoked legitimate interest as the legal basis of processing and referred the DPA to the judgement of the Sports Court prohibiting the complainant from attending training sessions, championships or other competitions organized by Organization 1 for a period of one year.
On 8 October the complainant agreed that his profile pictures were publicly accessible. However, in his opinion, legitimate interest was not applicable in this case because it was possible to find his picture by searching on Facebook directly, so sharing his picture via email was not necessary.
Holding
The DPA held that:
1) Organization 2 was acting as a processor on behalf of Organization 1 when it shared the complainant's pictures via email with third parties;
2) Personal data processing via automated means took place. The defendants' argument that the complainant failed to demonstrate that his picture was structured according to specific criteria was not relevant, because the filing system criterion applies to manual processing only;
3) The fact that the profile picture was publicly available does not mean that it can be used without a legal basis; and
4) Legitimate interest was a valid legal basis in this case:
Purpose test satisfied: the purpose was enforcing the judgement of the Sports Court.
Necessity test satisfied: the picture of the complainant was necessary to identify him. In addition, the controller edited the picture of the complainant in such a way that another person in that photo was no longer visible, complying with the principle of data minimization.
Balancing test satisfied: the DPA took into account the reasonable expectations of the complainant and found that, because the complainant made his picture publicly available, it was within his reasonable expectations that third parties might access that picture and use it. Moreover, according to the Sports Court judgement, Organization 1 (the controller) was required to communicate the prohibition to all organizers of competitions in Belgium. Although the judgement did not specifically instruct Organization 1 to share pictures of the complainant, the DPA considered this necessary for the purpose of identifying the complainant.
Comment
It was not clear whether the legitimate interest assessment was provided by the defendant or executed by the DPA.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Litigation room
Substance decision 35/2020 of 30 June 2020
File number: DOS-2019-01240
Subject: Reuse of profile picture available on Facebook
The Litigation Chamber of the Data Protection Authority, composed of Mr. Hielke Hijmans, chairman and Messrs Dirk Van Der Kelen and Jelle Stassijns, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;
Having regard to the Law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;
Having regard to the internal rules of procedure, as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;
Having regard to the documents in the file;
has taken the following decision on:
- Mr. X; hereafter “the complainant”
- Y; hereinafter “first respondent” and Mr. Z; hereinafter “second defendant”
1. Facts and procedure
1. On 25 February 2019, the complainant lodged a complaint with the Data Protection Authority against the defendants.
2. The subject of the complaint concerns the distribution by e-mail to third parties, namely W as well as volunteers and employees of Y, from a screenshot of one on Facebook available profile picture of the complainant without his consent. According to the complainant, the photo cannot be freely accessible, as he enjoys the highest level of protection through his settings. Also, the photo would have been edited by the second defendant so that only the complainant's face was made visible.
3. On 8 July 2019, the complaint will be declared admissible pursuant to Articles 58 and 60 WOG, the complainant is informed of this on the grounds of Article 61 of the WOG and the complaint is filed pursuant to Article 62, §1 WOG transferred to the Disputes Chamber.
4. On 23 July 2019, the Disputes Chamber will decide on the basis of Article 95, §1, 1° and Article 98 of the WOG the file is ready for thorough examination.
5. On 24 July 2019, the parties concerned will be notified of by registered mail the provisions as stated in Article 95, §2, as well as those in Article 98 WOG. Also they shall be informed of the deadlines for them pursuant to Article 99 WOG to submit defenses. The deadline for receipt of the reply of the defendants was thereby recorded on 6 September 2019, this for the conclusion of the complainant's reply on 7 October 2019.
6. On 6 August 2019, the defendants request a copy of the file (Article 95, §2, 3° WOG).
7. On 7 August 2019, a copy of the file will be sent to the defendants.
8. On 14 August 2019, the defendants indicate that they will submit defenses (Article 98, 2° WOG), as well as to adjust the conclusion calendar.
9. On 23 August 2019, the parties will be notified by the Disputes Chamber of the adjusted conclusion terms. The deadline for receipt of the Opinion of the defendants' reply was recorded on 6 September 2019, this one for the complainant's reply of 7 October 2019 to the defendants on 7 November 2019.
10. On 4 September 2019, the Disputes Chamber will receive the conclusion of an answer from the defendants. The defendants contend that the second defendant acted in his capacity of employee who acted on behalf of and for the account of the first defendant. The defendants then show that the photo has been determined by a bailiff to which the complaint relates is publicly accessible to everyone and was therefore by no means shielded.
First, according to the defendants, no processing would take place because the complainant does not demonstrate that the photo was structured according to specific criteria. The defendants refer in this regard to recital 15 GDPR. Insofar as there would be one processing, the defendants invoke the legitimate interest as a legal basis (Article 6.1 f) GDPR) and for this purpose refers to the judgment of the Sports Court in which the complainant ban was imposed on attending training courses, championships for 1 year or any other competition of any kind, organized under the sports authority of the first defendant.
11. In its conclusion, the defendants also consider the complainant's request to take action his right to erasure, which was not responded to by the defendants in accordance with the requirements of Article 12 GDPR. The defendants give the reason for this that the complainant's request did not indicate that any response was requested. The Disputes Chamber can only determine in this respect that the absence of a response due to the defendants at this request are not part of the complaint.
12. On 8 October 2019, the Disputes Chamber will receive the reply from the complainant. In there informs the complainant that his complaint was initially directed against the second defendant he may have been mistaken in the facts, as the first defendant formally states that the second defendant acted on her instructions and by no means as a person in her own right capacity. Furthermore, the complainant claims to have never contradicted that the photo is free is accessible and can therefore be viewed and copied by everyone. The object of the complaint is the distribution of the photo as an attachment to an e-mail. The complainant argues that there is a data processing by stating that recital 15 GDPR is not in the regulations are included.
According to the complainant, the defendants cannot rely on it legitimate interest as a legal basis for processing the photo as an attachment to an e-mail, since the recipients of the email could have found the photo themselves by to surf to the social network site Facebook.
13. On 30 October 2019, the Disputes Chamber receives the reply from the defendants. In it they indicate that they want to make use of the possibility of becoming heard (Article 98, 2° WOG). The defendants recall the elements of the Opinion of reply and add that the complainant referred to Article 124 of the Law of 13 June 2005 concerning electronic communication, because he deliberately has knowledge taken from an email message that was not addressed to him.
14. On 29 April 2020, parties will be informed that the hearing will take place on May 20, 2020.
15. On 27 May 2020, the parties will be heard by the Disputes Chamber.
2. Legal basis
• Controller
Article 4.7) GDPR
For the purposes of this Regulation: […] 7) "controller" means a natural or legal person, a public authority, a service or other body that, alone or with others, the purpose and means for the processing of personal data; when the goals of and means may be set out in Union or Member State law for such processing determine who the controller is or according to which criteria it is designated;
• Legitimacy of processing
Article 6.1. GDPR
1. Processing is lawful only if and to the extent that at least one of the following is provided conditions are met: […] (f) the processing is necessary for the defense of the legitimate interests of the controller or of a third party, except where interests or fundamental rights and the fundamental freedoms of the data subject requiring the protection of personal data, outweigh those interests, especially when the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing by public authorities under the performing their duties.
3. Justification
3.1. Controller
16. The complainant expressly addresses his complaint only to the second defendant and considers the first respondent is not responsible for the use of the photo without his permission and for sharing it with third parties, as respondent 1 would not have been aware.
17. The first defendant refutes this assertion and shows that the second defendant is in capacity of employee, acted entirely in the name and on behalf of the former defendant. As an employee of the second defendant, the second Respondent is ordered with the administration of its disciplinary and judicial bodies and has thus been appointed as “Registrar of the Sports Court”.
18. The Disputes Chamber finds that the complainant became Y pursuant to a judgment of the Sports Court Y. sentenced to “a general ban on attending training, championships or any other competition of any kind organized under the authority of sport of the Y, this for a period of 1 year. This prohibition extends to any place where the competition is taking place, including - but not limited to - the […]”.
19. For the implementation of this prohibition of attendance imposed on the complainant, In order of respondent 1 by respondent 2 an e-mail addressed to the sports commissioners of a specific, upcoming event in the W, as well as in “carbon copy” (cc) to the organizing party institution. Defendant 1 confirms that a photo of the complainant has been attached in order to allow the recipients of the email to recognize it if the complainant is would register despite the ban on attendance.
20. The entirety of these findings leads the Disputes Chamber to decide that the first defendant the purpose and means of execution of the judgment of the Sports Court has determined that the email with the photo attached was in her name and assignment dispatched by the second defendant acting solely as an employee of the first respondent and in that capacity is obliged to perform the duties assigned to him to accomplish. Thus, the first defendant should be classified as controller within the meaning of Article 4.7) GDPR.
3.2. Processing
21. Insofar as the defendant argues that the reuse of the profile picture is freely available would not constitute processing on Facebook within the meaning of Article 4.2) GDPR because of the fact that the complainant does not demonstrate that the photo was structured according to specific criteria, the Disputes Chamber in that regard on that article 2.1) GDPR read in conjunction with recital 15 of the GDPR, although an exclusion from the scope of the GDPR provides for files or a collection of files and their covers, which do not meet specific criteria are structured, but this exception applies only to manual processing [1]. In the present case, however, it concerns the reuse of an online accessible photo taken by is sent to specific third parties by means of an e-mail message.
[1] Recital 15 GDPR. In order to avoid a serious risk of circumvention, the protection of natural ones should be persons should be technology neutral and should not depend on the technologies used. The protection of natural persons should apply to both automated processing of personal data and manual processing thereof if the personal data has been stored or is intended to be stored in a file. Files or one collection of files and their folders, which are not structured according to specific criteria, should not be included in the scope of this Directive.
22. The Disputes Chamber is of the opinion that there is indeed a processing within the meaning of Article 4.2) GDPR [2], since the photo is determined automatically in accordance with certain technologies was consulted for subsequent use and forwarded to third parties.
[2] Article 4.2) GDPR: For the purposes of this Regulation, the following definitions apply: 'processing' means an operation or a whole of operations relating to personal data or a set of personal data, whether or not performed via automated processes, such as collecting, recording, organizing, structuring, storing, updating or changing, retrieving, consult, use, provide by forwarding, dissemination or otherwise make available, aligning or combining, shielding, erasing or destroying data;
3.3. Lawfulness of processing
23. Although the complainant claims that the photo that is the subject of the complaint is the highest is protected through its institutions, the defendant shows by means of a finding to a bailiff that the photo in question is publicly accessible on the complainant's Facebook page and profile picture can be reached without any hindrance and copied. The complainant then states in its reply that “everyone know that a profile photo is freely accessible”, thus confirming that the photo is located in the public area of Facebook.
24. The Disputes Chamber states that both consulting and using a photo are one processing is within the meaning of the GDPR and that this processing is only permitted on the basis of a processing basis in Article 6.1 GDPR. The fact that the photo was made freely accessible by the person concerned, in no way allows the free reuse of the photo by third parties consult it.
25. The GDPR significantly limits the possibility of reusing publicly accessible personal data. The Dispute Chamber emphasizes that it the principle is that the fact that someone's profile photo is freely accessible to the public, does not mean that others may use it freely.
Its use is only possible if there is a legal basis for this. The defendant appeals to that effect legitimate interest (Article 6.1 f) GDPR).
26. In accordance with Article 6.1 f) GDPR and the case law of the Court of Justice of the European Union (hereinafter “the Court”) must meet three cumulative conditions for one controller can legally invoke this legitimacy ground, "namely, first of all, the defense of a legitimate interest of the processing of the controller or of the third party (ies) to whom the data is provided, in the secondly, the need for the processing of the personal data for representation of legitimate interest, and, thirdly, the condition that the fundamental rights and freedoms of the person involved in data protection do not prevail" (judgment in “Rigas” [3]).
[3] CJEU, 4 May 2017, C-13/16, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA Rīgas satiksme, recital 28. See also CJEU, 11 December 2019, C-708/18, TK t / Asociaţia de Proprietari bloc M5A-ScaraA, recital 40.
27. In order to be able to invoke the lawfulness of law in accordance with Article 6.1 f) GDPR in other words, the “legitimate interest” should be submitted by the controller show that:
- the interests which it pursues with the processing can be recognized as justified (the “target test”);
- the intended processing is necessary for the realization of these interests (the “Necessity test”); and
- the balancing of these interests against the interests, fundamental freedoms and fundamental rights from stakeholders weighs in it benefit from the controller (the “balancing test”).
28. As regards the first condition (the so-called “target test”), the Disputes Chamber of consider that the purpose of the exercise of the judgment of the Sports court can be classified for a legitimate interest.
The importance that the defendant as controller may pursue in accordance with recital 47 GDPR are considered to be justified in themselves. Consequently, the first condition contained in Article 6.1 f) GDPR.
29. In order to fulfill the second condition, it must be demonstrated that the processing is necessary for the achievement of the objectives pursued. This means more provides that the question should be asked whether the same result can be achieved by other means be achieved without processing personal data or without unnecessarily drastic action processing for data subjects.
30. The complainant maintains that it was absolutely unnecessary to add the profile photo as an attachment attach to the email notifying the Sports Court's judgment to the sports commissioners, since the latter could have done the image themselves by consulting the social network site Facebook. The Dispute Chamber draws up on the basis of this, it is established that the complainant does not dispute that, on the grounds of the sports commissioners there is a real need for a photo as an identifier in order to allow the sports commissioners and the enable the organizer to maintain the prohibition of attendance imposed on the complainant. The complainant does not object to this either. The complainant only disputes that it was unnecessary add profile picture as an attachment to the e-mail sent to the sports commissioners and the organizer was sent and after it was edited additionally.
31. The Disputes Chamber notes that the editing of the profile picture consisted of the others person who was on the profile picture was no longer visible, so only the image of the complainant could be seen in the photo. This gives the defendants the principle of minimum data processing (Article 5.1. c) GDPR) as the image of the other person was in no way required for the intended purpose of maintaining the ban on attendance.
32. In addition, the Dispute Chamber finds that the complainant's photograph was necessary for his identification, since the purpose is to maintain the ban on attendance imposed on the complainant cannot reasonably be achieved in any other way [4] than by processing a photo. The way in which the photo is made available, either via attachment to the relevant e-mail, or by direct consultation of the complainant's Facebook page is irrelevant. Also on this point, the principle of minimum data processing (Article 5.1. c) GDPR).
[4] Recital 39 GDPR. Any processing of personal data must be done properly and lawfully. For natural persons it should be transparent that they are collected, used, consulted or concerning them otherwise processed and to what extent the personal data are processed or will be processed. In accordance with it transparency principle, information and communication related to the processing of those personal data should be simple be accessible and understandable, and clear and simple language should be used. That principle concerns in particular the informing data subjects about the identity of the controller and the purposes of the processing, as well as further information to ensure proper and transparent processing with regard to natural persons in question and their right to receive confirmation and communication of their personal data being processed. Natural individuals should be made aware of the risks, rules, safeguards and rights associated with the processing of personal data, as well as how they can exercise their rights regarding this processing. More specifically, the specific purposes for which the personal data are processed must be explicit and justified and be determined when the personal data is collected. The personal data must be adequate and relevant serve and be limited to what is necessary for the purposes for which they are processed. This requires with in particular, ensuring that the storage period of the personal data is kept to a strict minimum. Personal data may only be processed if the purpose of the processing is not reasonably in any other way can be accomplished. To ensure that personal data is not kept longer than necessary, it is necessary set deadlines for the erasure of data or for periodic review. All reasonable measures must be taken to ensure that incorrect personal data is rectified or erased. Personal data must be processed in a manner that provides appropriate security and confidentiality that data, including to prevent unauthorized access to or unauthorized use of personal data and the equipment used for the processing. (own underline)
33. In order to check whether the third condition of Article 6.1 f) GDPR - the so-called "Balancing test" between the interests of the controller on the one hand, and the controller fundamental freedoms and fundamental rights of the data subject, on the other hand - can be met, In accordance with recital 47 GDPR, reasonable ones should be taken into account expectations of the data subject. More specifically, it is necessary to evaluate whether “Data subject at the time and in the context of the collection of the personal data may reasonably expect processing to take place for that purpose” [5].
[5] Recital 47 GDPR.
34. This is also emphasized by the Court in its judgment in “TK t / Asociaţia de Proprietari bloc M5A-ScaraA” of December 11, 2019 [6], in which it states: “Also relevant to this consideration are the reasonable expectations of the data subject that they are or her personal data will not be processed when, in the circumstances in such a case, the data subject cannot reasonably continue to process the data expect".
[6] CJEU, 11 December 2019, C-708/18, TK t / Asociaţia de Proprietari bloc M5A-ScaraA, recital 58.
35. Because the complainant himself published the photo in such a way that it is freely accessible for anyone, the Disputes Chamber considers that it is within the reasonable expectations of the complainant complains that third parties access and share publicly shared information use. The collection and use of the published personal data by however, these third parties are only lawful insofar as the processing of those personal data is carried out is based on a legal basis as provided in Article 6.1. GDPR. The Disputes Chamber will determine that the defendants rightly invoke Article 6.1. f) GDPR [7], since the verdict of the In addition to the ban on attendance imposed on the complainant, the sports court also stipulates that the Registrar at the Secretariat of Defendant 1 is requested to inform this prohibition bringing all organizers of competitions on Belgian territory. Although the verdict does not impose a photo of the complainant on this notification of the ban on attendance it is necessary, however, to check compliance with it ban on attendance on the part of the complainant, that the organizers of competitions on Belgian territory have any means whatsoever, such as the photograph of the complainant, to correct it if necessary - in case of non-compliance with the prohibition.
[7] Recital 47 GDPR. The legitimate interests of a controller, including that of a controller controller to whom the personal data may be provided, or from a third party, may have a legal basis for processing, provided that the interests or fundamental rights and freedoms of the data subject are not overridden taking into account the reasonable expectations of the data subject based on his relationship with the controller. Such a legitimate interest may exist, for example, when there is a relevant and appropriate relationship between the data subject and the controller, in situations where the data subject is a customer or is employed by the controller. In any case, a careful assessment is required to determine whether there is a legitimate interest, as well as to determine whether a data subject is concerned at the time and in the context may reasonably expect the collection of the personal data to be possible for that purpose to be processed. In particular, the interests and fundamental rights of the data subject may override the interests of the data subject controller when personal data are processed in circumstances where the data subjects do not reasonably expect further processing. Since it is for the legislator to provide the legal basis for this that legal basis should not apply to the processing of personal data by public authorities processing by public authorities in the performance of their duties. The processing of personal data that strictly necessary for the prevention of fraud is also a legitimate interest of the controller concerned. The processing of personal data for direct marketing purposes can be considered as performed for the purpose of a legitimate interest. (own underline)
36. The Disputes Chamber is of the opinion that the defendants rightly invoke Article 6.1 f) GDPR and no elements are provided that indicate that the defendants would have acted in violation of the requirements of the GDPR.
3.4. Publication of the decision
37. Having regard to the importance of transparency regarding the decision-making of the Dispute Chamber, this decision will be published on the Data protection authority. It is not necessary, however, for this to be the identification data of the parties are published directly.
FOR THESE REASONS,
The Dispute Chamber of the Data Protection Authority, after deliberation, decides on the basis of Article 100, §1, 1° WOG, to dismiss the present complaint. Based on the information about which the Disputes Chamber at this time, although it does not currently consider it possible to take further action give to the complaint.
Pursuant to Article 108, §1 WOG, an appeal can be lodged against a period of thirty days, from the notification, at the Marktenhof, with the Data protection authority as defendant.
(signed) Hielke Hijmans
Chairman of the Disputes Chamber